LaCie 2big Network 2 Unauthenticated Remote Information Disclosure

Note that the device has a default “admin” account, and the default password is “admin”. But that isn’t needed to exploit this issue!

Loading the web interface of the device brings up the login page. In the background, the page also causes your browser to make several API requests against the server. These requests are not sent over SSL, and they can return sensitive information.
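One way to check a device you administer for the behaviour described above is to export a HAR capture of the login page loading, before signing in, from the browser's developer tools and list the data responses that were served without any credentials. This is an added example, not code from the original advisory; the HAR excerpt, the address 192.0.2.10 and the `/api/placeholder/...` paths are constructed and are not the device's real endpoints.

```python
import json
from urllib.parse import urlsplit

DATA_TYPES = ("application/json", "application/xml", "text/xml")
AUTH_HEADERS = {"authorization", "cookie"}


def audit_har(har):
    """Return data responses that the server gave to requests carrying no credentials."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        sent = {h["name"].lower() for h in req.get("headers", [])}
        content = resp.get("content", {})
        mime = content.get("mimeType", "").split(";")[0].strip().lower()
        if sent & AUTH_HEADERS:
            continue  # request carried a session cookie or credentials
        if resp.get("status") != 200 or mime not in DATA_TYPES:
            continue  # login HTML, static files, or a refused request
        if content.get("size", 0) <= 0:
            continue  # empty body, nothing disclosed
        findings.append({
            "url": req["url"],
            "cleartext": urlsplit(req["url"]).scheme == "http",
            "bytes": content["size"],
        })
    return findings


# Constructed HAR 1.2 excerpt; host and paths are placeholders, not real endpoints.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "http://192.0.2.10/", "headers": []},
     "response": {"status": 200, "content": {"mimeType": "text/html", "size": 5120}}},
    {"request": {"method": "GET", "url": "http://192.0.2.10/api/placeholder/info",
                 "headers": []},
     "response": {"status": 200,
                  "content": {"mimeType": "application/json; charset=utf-8", "size": 412}}},
    {"request": {"method": "GET", "url": "http://192.0.2.10/api/placeholder/users",
                 "headers": []},
     "response": {"status": 401, "content": {"mimeType": "application/json", "size": 38}}},
    {"request": {"method": "GET", "url": "https://192.0.2.10/api/placeholder/status",
                 "headers": [{"name": "Cookie", "value": "session=constructed"}]},
     "response": {"status": 200, "content": {"mimeType": "application/json", "size": 96}}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(json.dumps(finding))
```

Each finding still needs a manual look at the response body to decide whether what it returns is sensitive.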